[DONE] password for users in wheel group

This forum is dedicated to basic help and support :

Ask here your questions about basic installation and usage of Mageia. For example you may post here all your questions about getting Mageia isos and installing it, configuring your printer, using your word processor etc.

Try to ask your questions in the right sub-forum with as much details as you can gather. the more precise the question will be, the more likely you are to get a useful answer

[DONE] password for users in wheel group

Postby rychok » Feb 12th, '14, 04:58

I have now three computers running Mageia4 one was installed as RC and updated to 4, the other two were updated from Mageia3.
All of them have same behavior as far as authentication for some tasks usually required root password to start.
AFAIK wheel group users had some extra convenience and the root password was active for them for some time. Now if I become wheel group member I'm asked for my user password instead of root password, so one level of security is missing, only one password is required to do administrative tasks. And even if I ask in MCC for "Administrator" password ( are we having more peoples from Microsoft? In UNIX/Linux it used to be "root") for software management, and other MCC tasks I'm always asked for my user password. At this point I just removed myself from wheel group.

I do not know if this is a bug, or some miss-configuration that happened during upgrade, or - I can't thing of the reason why it might be - it was changed deliberately and it is now default behavior?
Last edited by rychok on Feb 16th, '14, 01:47, edited 1 time in total.
rychok
 
Posts: 59
Joined: Jul 9th, '13, 03:03

Re: password for users in wheel group

Postby doktor5000 » Feb 12th, '14, 17:48

At first, there was a major change for authentication, at least for the Mageia tools: https://wiki.mageia.org/en/Mageia_4_Rel ... entication
And a quick grep shows that by default members of the wheel group get additional priviledges, see /etc/polkit-1/rules.d/50-default.rules

So I'd say at least that far it works as designed so far, as no user is in wheel group by default. By default Mageia tools require root
password for almost all of them and you can change the required authentication via draksec as mentioned in the Release Notes.

For polkit configuration also see https://wiki.archlinux.org/index.php/Po ... identities or maybe http://askubuntu.com/questions/184085/p ... roup-wheel
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 18073
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: password for users in wheel group

Postby colin » Feb 12th, '14, 17:50

This "users in wheel group are considered as administrators" is an upstream polkit default.

The rule is defined here: /etc/polkit-1/rules.d/50-default.rules

Since our tools have migrated to polkit (as opposed to usermode consolehelper) this rule now kicks in (the same behaviour for polkit has been present since MGA2 IIRC, so it's only exposed here rather than a "change" in polkit behaviour)

Other tasks that required polkit auth (e.g. changing date and time, adding users etc in GNOME) would have followed this rule for a while, so we're standardising now.

Hope this helps!

Col
colin
 
Posts: 53
Joined: Jul 25th, '11, 11:15

Re: password for users in wheel group

Postby doktor5000 » Feb 12th, '14, 22:25

colin wrote:This "users in wheel group are considered as administrators" is an upstream polkit default.

The rule is defined here: /etc/polkit-1/rules.d/50-default.rules

That's what the arch wiki says too - but thanks for commenting :D
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 18073
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: password for users in wheel group

Postby rychok » Feb 13th, '14, 03:34

Thank you for your replies.
I took a quick look into polkit man page, from what I have seen there is an additional package with desktop rules that was not installed during update. This package changed a little behavior for password requirements. After installing it I was able to access MCC without entering my password for some time, but without icon in systray with option to stop it (what was nice to have), but even all the rules in polkit configuration for draktoos have "KEEP" in the values, when I was accessing drakrpm from menu, I was asked for password every time. My assumption was that in this case it should gave me some time for lunching drakrpm without asking for password again. Forcing of retyping user password in my opinion is lowering security (all my computers are home computers, and no one is going to try get my password by watching what I am typing), and is a little step back in convenience. I also think the two step authentication (user and root passwords) for administration was more secure, but for personal desktop may not be required.
rychok
 
Posts: 59
Joined: Jul 9th, '13, 03:03

Re: password for users in wheel group

Postby doktor5000 » Feb 13th, '14, 23:56

Well, I don't quite get your point.
You can configure all draktool to either require user or root or no password via draksec:
https://doc.mageia.org/mcc/4/en/content/draksec.html (looks a bit different actually in Mageia 4)

Don't quite understand what your requirements are or the use case.
(Usually for my own box I configure sudo for passwordless stuff and switch e.g. update applet to require no password for convenience)
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 18073
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: password for users in wheel group

Postby rychok » Feb 14th, '14, 04:01

Mostly I was just trying to find out if this is a new way of handling this, or my update did not go correctly at some point.
So I do see now why there is a change in MCC and for Mageia tools there is no more option for root password, instead we have administrator (any wheel group member) password.
I did not have polkit desktop policy package installed so I was asked for password every time I was opening MCC (even few seconds apart- I was doing this just for checking), with this package there is a grace period for lunching MCC.
But I thing there is some inconsistency because this ruled do not apply for opening software management invoked from menu. This one is asking for password every time. Again I do not see this as any issue, in my case I will just remove myself from wheel group, that will practically bring the previous behavior for single user system.
rychok
 
Posts: 59
Joined: Jul 9th, '13, 03:03

Re: password for users in wheel group

Postby doktor5000 » Feb 14th, '14, 20:40

rychok wrote:So I do see now why there is a change in MCC and for Mageia tools there is no more option for root password, instead we have administrator (any wheel group member) password.


Sorry, you got that wrong. root password is administrator password, that's just the wording in polkit dialog and comes from upstream, not from Mageia.
By adding users to wheel group, you grant them special administrative permissions.

Please mark the thread accordingly by editing the topic of the first post and prefix it by [DONE], thanks
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 18073
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany


Return to Basic support

Who is online

Users browsing this forum: No registered users and 1 guest